in UserCounterListener.java

  // Workaround for Jetty bug (http://www.nabble.com/current-user-count-incorrect-tf3550268.html#a9919134)
The workaround block has to be removed and use the following instead.

    public void attributeAdded(HttpSessionBindingEvent event) {
        if (event.getName().equals(EVENT_KEY) && !isAnonymous()) {
            SecurityContext securityContext = (SecurityContext) event.getValue();
            if (securityContext.getAuthentication().getPrincipal() instanceof User) {
                User user = (User) securityContext.getAuthentication().getPrincipal();
                addUsername(user);
            }
    }

The original workaround block as attached below will create a new "User" object
        // Workaround for Jetty bug (http://www.nabble.com/current-user-count-incorrect-tf3550268.html#a9919134)
        } else if (event.getName().equals(AuthenticationProcessingFilter.SPRING_SECURITY_LAST_USERNAME_KEY)) {
            String username = (String) event.getValue();
            User user = new User(username);
            addUsername(user);
        }

A second call will be made and the right user contains full user information won't be added. (User.hashCode is using the username's hashCode). Removing that block seems to be working correctly using jetty as well as tomcat.